How to make a profit on cyber coverage
How does the industry make cyber insurance a viable and profitable line of business going forward?
“I would say cyber is a viable and profitable business line,” said Neal Jardine, global cyber risk intelligence and claims director with Boxx Insurance. “I don’t believe cyber is broken. I believe it’s not sustainable if the approach to managing cyber risks is the same as it was five years ago, but that isn’t the case.
“Cyber threats are constantly changing and we as an industry need to continue to adapt and enhance our approach.”
Security controls have improved over the past few years and cyber insurers now often require businesses to implement multi-factor authentication and patch systems regularly. But hackers are responding by changing their attack vectors.
For example, cybercriminals have already determined ways to bypass text-based authentication, thus requiring the industry to adapt.
When it comes to cyber risk, an ounce of prevention is worth a pound of cure, and education is a key part of the equation. Brokers and their clients need to understand how cyber is evolving.
“Historically, the communication hasn’t been there to help make sure people understand how it’s evolving, how it’s ever-changing,” said Jardine. “Information needs to flow to the frontline brokerages and it needs to flow early, which is why we engage six months before the renewal process.”
Reaction time
Ten to 15 years ago the cyber product was a ‘reactive’ incident response policy, said Lindsey Nelson, cyber development leader at CFC Underwriting.
“Then it evolved to security services and insurers starting to bring cyber claims response and technical incident response in-house, in reaction to cyber claims evolving,” she said. “We’re now looking to prevent cyberattacks for clients so that it doesn’t even need to trigger the policy in the first place.
“The policy’s evolved. It’s not been broken, but it does require innovation. It does need to evolve [to where it’s] a proactive, service-driven solution rather than a reactive policy wording.”
If it can be engineered to work as a proactive service, then claims won’t need to be filed in the first place.
“We just need to make sure that we can mitigate cybercrime instead of acting reactively and crossing our fingers and hoping a claim doesn’t come through, as you would with most other product lines in the market,” said Nelson.
Prevention is a critical part of cyber protection, Jardine agreed.
“We look at it very much in three steps — predicting it, preventing it and responding to it,” he said. “That’s made us viable and profitable. We’ve had a very good loss ratio for the last few years…because we’re not just writing everyone. We’re writing the classes [of business] that are taking an active approach to being cyber secure and cyber aware.”
This article is excerpted from on that appeared in the February-March edition of Canadian Underwriter. Feature image by iStock.com/Muharrem huner